格密码学之环基础
相关主题
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
2002 Micciancio’s ring-based one-way function with worst-case hardness from ideal lattices (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient)
2
3
Selected bibliography:
LPR’10 and ’13 V. Lyubashevsky, C. Peikert, O. Regev. “On Ideal Lattices and Learning with Errors Over Rings,” Eurocrypt’10 and JACM’13. “A Toolkit for Ring-LWE Cryptography,” Eurocrypt’13. BV’11 Z. Brakerski and V. Vaikuntanathan. “Fully Homomorphic Encryption from Ring-LWE. . . ” CRYPTO’11.
Cryptography from Rings Chris Peikert
University of Michigan
HEAT Summer School 13 Oct 2015
1 / 13
Agenda
1
Polynomial rings, ideal lattices and Ring-LWE Basic Ring-LWE encryption Fully homomorphic encryption
4 / 13
Cyclotomic Rings
The mth cyclotomic ring is R = Z[ζ ] where ζ = ζm has order m. I.e., ζ m = 1 and ζ j = 1 for 1 < j < m. Fact: X m − 1 = Φm (X ) =
0 , . . . ζ k−1 , ζ k+1 , . . . , ζ p−1 }. There are other Z-bases, e.g., {ζp p p p
4 / 13
Cyclotomic Rings
Key Facts
1
For prime p: Φp (X ) = 1 + X + X 2 + · · · + X p−1 .
3 / 13
2010 Ring-LWE: very efficient encryption, worst-case hardness
Cyclotomic Rings
The mth cyclotomic ring is R = Z[ζ ] where ζ = ζm has order m. I.e., ζ m = 1 and ζ j = 1 for 1 < j < m.
2002 Micciancio’s ring-based one-way function with worst-case hardness from ideal lattices (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 2008– Countless applications of LWE (still inefficient)
2 / 13
Rings in Lattice Cryptography (A Selective History)
1996-97 Ajtai(-Dwork) worst-case/average-case reduction, one-way function & public-key encryption (very inefficient)
(X − ω i ) ∈ Z[X ],
Therefore, Z[ζ ] ∼ = Z[X ]/Φm (X ) via ζ ↔ X . ω3 ω1 ω4 ω5 ω5 ω7 ω7 ω8 ω2 ω1
Φ8 (X ) = 1 + X 4
Φ9 (X ) = 1 + X 3 + X 6
4 / 13
Cyclotomic Rings
3 / 13
Rings in Lattice Cryptography (A Selective History)
1996-97 Ajtai(-Dwork) worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient “ring-based” encryption (heuristic security)
The mth cyclotomic ring is R = Z[ζ ] where ζ = ζm has order m. I.e., ζ m = 1 and ζ j = 1 for 1 < j < m. Fact: X m − 1 = Φm (X ) =
i∈Z∗ m d|m Φd (X )
for irredΒιβλιοθήκη Baiducible √ ω = exp(2π −1/m) ∈ C.
i∈Z∗ m d|m Φd (X )
for irreducible √ ω = exp(2π −1/m) ∈ C.
(X − ω i ) ∈ Z[X ],
4 / 13
Cyclotomic Rings
The mth cyclotomic ring is R = Z[ζ ] where ζ = ζm has order m. I.e., ζ m = 1 and ζ j = 1 for 1 < j < m. Fact: X m − 1 = Φm (X ) =
3 / 13
Rings in Lattice Cryptography (A Selective History)
1996-97 Ajtai(-Dwork) worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient “ring-based” encryption (heuristic security)
5 / 13
Cyclotomic Rings
Key Facts
1 2
For prime p: Φp (X ) = 1 + X + X 2 + · · · + X p−1 . For m = pe : Φm (X ) = Φp (X m/p ) = 1 + X m/p + · · · + X m−m/p . So it can be cumbersome to work with Z[X ]/Φm (X ).
i∈Z∗ m d|m Φd (X )
for irreducible √ ω = exp(2π −1/m) ∈ C.
(X − ω i ) ∈ Z[X ],
ω3
ω1 ω4 ω5
ω2
ω1
ω5
ω7
ω7
ω8
Φ8 (X ) = 1 + X 4
Φ9 (X ) = 1 + X 3 + X 6
4 / 13
Cyclotomic Rings
5 / 13
Cyclotomic Rings
Key Facts
1 2
For prime p: Φp (X ) = 1 + X + X 2 + · · · + X p−1 . For m = pe : Φm (X ) = Φp (X m/p ) = 1 + X m/p + · · · + X m−m/p .
1996-97 Ajtai(-Dwork) worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient “ring-based” encryption (heuristic security)
3 / 13
Rings in Lattice Cryptography (A Selective History)
1996-97 Ajtai(-Dwork) worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient “ring-based” encryption (heuristic security)
3 / 13
Rings in Lattice Cryptography (A Selective History)
1996-97 Ajtai(-Dwork) worst-case/average-case reduction, one-way function & public-key encryption (very inefficient) 1996 NTRU efficient “ring-based” encryption (heuristic security)
(X − ω i ) ∈ Z[X ],
Therefore, Z[ζ ] ∼ = Z[X ]/Φm (X ) via ζ ↔ X . We have deg(R) = deg(Φm ) = n := ϕ(m), and R has a Z-basis {ζ 0 , ζ 1 , . . . , ζ n−1 }: the power basis. This corresponds to Z[X ]/Φm (X ) representation.
2002 Micciancio’s ring-based one-way function with worst-case hardness from ideal lattices (no encryption)
3 / 13
Rings in Lattice Cryptography (A Selective History)
The mth cyclotomic ring is R = Z[ζ ] where ζ = ζm has order m. I.e., ζ m = 1 and ζ j = 1 for 1 < j < m. Fact: X m − 1 = Φm (X ) =
i∈Z∗ m d|m Φd (X )
for irreducible √ ω = exp(2π −1/m) ∈ C.
i∈Z∗ m d|m Φd (X )
for irreducible √ ω = exp(2π −1/m) ∈ C.
(X − ω i ) ∈ Z[X ],
Therefore, Z[ζ ] ∼ = Z[X ]/Φm (X ) via ζ ↔ X . We have deg(R) = deg(Φm ) = n := ϕ(m), and R has a Z-basis {ζ 0 , ζ 1 , . . . , ζ n−1 }: the power basis. This corresponds to Z[X ]/Φm (X ) representation.
2002 Micciancio’s ring-based one-way function with worst-case hardness from ideal lattices (no encryption) 2005 Regev’s LWE: encryption with worst-case hardness (inefficient) 2008– Countless applications of LWE (still inefficient) ()
4 / 13
Cyclotomic Rings
The mth cyclotomic ring is R = Z[ζ ] where ζ = ζm has order m. I.e., ζ m = 1 and ζ j = 1 for 1 < j < m. Fact: X m − 1 = Φm (X ) =